In the ever-changing world of global data communications, inexpensive Internet
connections, and fast-paced software development, security is becoming more
and more of an issue. Security is now a basic requirement because global computing
is inherently insecure. As your data goes from point A to point B on the Internet,
for example, it may pass through several other points along the way, giving
other users the opportunity to intercept, and even alter, your data. Even other
users on your system may maliciously transform your data into something you
did not intend. Unauthorized access to your system may be obtained by intruders,
also known as ``crackers'', who then use advanced knowledge to impersonate you,
steal information from you, or even deny you access to your own resources. If
you're still wondering what the difference is between a ``Hacker'' and a ``Cracker'',
see Eric Raymond's document, ``How to Become A Hacker'', available at: http://www.catb.org/~esr/faqs/hacker-howto.html

How Vulnerable Are We?

While it is difficult to determine just how vulnerable a particular
system is, there are several indications we can use:

The Computer Emergency Response Team consistently reports an increase in
computer vulnerabilities and exploits.

TCP and UDP, the protocols that comprise the Internet, were not written
with security as their first priority when they were created more than 30
years ago.

A version of software on one host has the same vulnerabilities as the same
version of software on another host. Using this information, an intruder can
exploit multiple systems using the same attack method.

Many administrators don't even take the simple security measures necessary to
protect their site, or don't understand the ramifications of enabling
some services. Many administrators are also not given the additional time
necessary to integrate the required security measures.

Distribution: Conectiva

11/23/2004 shadow-utils: authentication bypass vulnerability fix

Martin Schulze reported a vulnerability[2] in the passwd_check()
function in "libmisc/pwdcheck.c" which is used by chfn and chsh and
thus may allow a local attacker to use them to change the standard
shell of other users or modify their GECOS information (full name,
phone number...).
http://www.linuxsecurity.com/advisories/conectiva_advisory-5223.html

11/23/2004 bugzilla: remote vulnerability fix

Bugzilla versions prior to 2.16.7 have a vulnerability[3] which allows
a remote user to remove keywords from a ticket even without the
necessary permissions. Such an action, however, would trigger the usual
e-mail detailing the changes, making it easy to discover what happened
and what was changed.
http://www.linuxsecurity.com/advisories/conectiva_advisory-5224.html

Liam Helmer noticed that sudo, a program that provides limited super
user privileges to specific users, does not clean the environment
sufficiently. Bash functions and the CDPATH variable are still passed
through to the program running as privileged user, leaving
possibilities to overload system routines.
http://www.linuxsecurity.com/advisories/debian_advisory-5228.html

11/24/2004 sudo: removes debug output

Liam Helmer noticed that sudo, a program that provides limited super
user privileges to specific users, does not clean the environment
sufficiently. Bash functions and the CDPATH variable are still passed
through to the program running as privileged user, leaving
possibilities to overload system routines.
http://www.linuxsecurity.com/advisories/debian_advisory-5229.html

This update adds additional file types to the list of file types
associated with the OpenOffice.org application suite, allowing users to
open more documents with OpenOffice.org through Nautilus and Evolution.